mm, security: Add lsm hook for set_mempolicy(2)
In a container environment, we don't want users to bind their memory to a
specific NUMA node; instead we want memory resources to be controlled
centrally by kubelet. Therefore, add a new LSM hook for set_mempolicy(2) so
that an LSM can enforce fine-grained control over memory policy adjustments
made by the tasks in a container.

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
laoar authored and intel-lab-lkp committed Nov 12, 2023
1 parent 3d06b02 commit 7ebb483
Showing 4 changed files with 19 additions and 0 deletions.
2 changes: 2 additions & 0 deletions include/linux/lsm_hook_defs.h
Expand Up @@ -423,3 +423,5 @@ LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
LSM_HOOK(int, 0, mbind, unsigned long start, unsigned long len,
unsigned long mode, const unsigned long __user *nmask,
unsigned long maxnode, unsigned int flags)
LSM_HOOK(int, 0, set_mempolicy, int mode, const unsigned long __user *nmask,
unsigned long maxnode)
8 changes: 8 additions & 0 deletions include/linux/security.h
Expand Up @@ -487,6 +487,8 @@ int security_locked_down(enum lockdown_reason what);
int security_mbind(unsigned long start, unsigned long len,
unsigned long mode, const unsigned long __user *nmask,
unsigned long maxnode, unsigned int flags);
int security_set_mempolicy(int mode, const unsigned long __user *nmask,
unsigned long maxnode);
#else /* CONFIG_SECURITY */

static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
Expand Down Expand Up @@ -1405,6 +1407,12 @@ static inline int security_mbind(unsigned long start, unsigned long len,
{
return 0;
}

static inline int security_set_mempolicy(int mode, const unsigned long __user *nmask,
unsigned long maxnode)
{
return 0;
}
#endif /* CONFIG_SECURITY */

#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
4 changes: 4 additions & 0 deletions mm/mempolicy.c
Expand Up @@ -1581,6 +1581,10 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,
if (err)
return err;

err = security_set_mempolicy(mode, nmask, maxnode);
if (err)
return err;

return do_set_mempolicy(lmode, mode_flags, &nodes);
}
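Review bot: The new call `err = security_set_mempolicy(mode, nmask, maxnode);` hands the LSM the raw `__user` pointer `nmask`, while the policy actually installed on the following line comes from the kernel-side copy `&nodes` that the preceding (out-of-view) step filled in; `mode` is likewise the unsanitized value rather than the `lmode`/`mode_flags` pair passed to `do_set_mempolicy()`. An LSM that wants to inspect the requested nodes therefore has to copy the mask from userspace a second time, and a concurrent thread can rewrite it in between, so the nodemask the LSM approves need not be the one that is applied. Passing the already-validated kernel values closes that window and spares the LSM the copy: `err = security_set_mempolicy(lmode, mode_flags, &nodes);` with the hook prototype changed to match in lsm_hook_defs.h, security.h and security.c (roughly `int mode, unsigned short mode_flags, const nodemask_t *nodes`, using the types kernel_set_mempolicy() declares). The user-pointer form presumably mirrors the existing mbind hook visible in the other sections, which would carry the same issue. kernel_set_mempolicy() starts outside the hunk; only its tail is visible here.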

5 changes: 5 additions & 0 deletions security/security.c
Expand Up @@ -5344,3 +5344,8 @@ int security_mbind(unsigned long start, unsigned long len,
{
return call_int_hook(mbind, 0, start, len, mode, nmask, maxnode, flags);
}

int security_set_mempolicy(int mode, const unsigned long __user *nmask, unsigned long maxnode)
{
return call_int_hook(set_mempolicy, 0, mode, nmask, maxnode);
}
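Review bot: `security_set_mempolicy()` is added without a kernel-doc header, so the hook's contract — what `mode`, `nmask` and `maxnode` are and that 0 means the call is permitted — is documented nowhere; if this tree's security.c carries `/** security_xxx - ... */` blocks for its other wrappers (as mainline does), the new one should follow suit. I would add, above the definition, `/** security_set_mempolicy - Check if setting the task's memory policy is allowed`, `@param` lines for `mode`, `nmask` and `maxnode` (the latter being a user pointer and its bit count as handed to the syscall), and `Return: Returns 0 if permission is granted.` The definition line `int security_set_mempolicy(int mode, const unsigned long __user *nmask, unsigned long maxnode)` also runs past 80 columns; wrapping it the way the neighbouring `security_mbind()` is wrapped would match the file's style.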
